0

I'm trying to get byte array from file, interpret it like uint64_t and then cast this uint to FILETIME

After googling around and debugging a bit I've stuck at following wrong working code.

uint64_t win_filetime = *(uint64_t*)(&(((char*)buf)[(int)FILETIME_OFFSET]));
//at this moment win_filetime = 0x01cb3f90e7b52500

where buf contains needed bytes at FILETIME_OFFSET

Then trying to cast t1 = *(FILETIME *)(&win_filetime); or 

t1.dwLowDateTime = (DWORD)win_filetime;
t1.dwHighDateTime = (DWORD)(win_filetime >> 32);

to pass it to the function 

tm FILETIME_to_time_t(const FILETIME *lpFileTime) {

  time_t result;

  SYSTEMTIME st;

  struct tm tmp;

  FileTimeToSystemTime(lpFileTime,&st);

  memset(&tmp,0,sizeof(struct tm));

  tmp.tm_mday = st.wDay;
  tmp.tm_mon  = st.wMonth - 1;
  tmp.tm_year = st.wYear - 1900;

  tmp.tm_sec  = st.wSecond;
  tmp.tm_min  = st.wMinute;
  tmp.tm_hour = st.wHour;

  return tmp;
}

Function FILETIME_to_time_t() returns rubbish(i.e. year = 110)

Sample value from file: 0025B5E7903FCB0100 that HexWorkshop correctly parsing as 11:23:10 19.08.2010

Maybe there is lack of endianness conversion or another thing that I'm unable to spot now?

im_infamous
  • 327
  • 1
  • 3
  • 17
  • Are you sure year=110 isn't just 2010 after you subtract 1900 in your code? – John Zwinck Jan 22 '15 at 07:05
  • Yep, nice catch. I've replaced this with direct `record->filetime->tm_year = record->filetime->tm_year - 1900;` before strftime. Many thanks for help. – im_infamous Jan 22 '15 at 07:20
  • You're welcome--I reformulated the comment as an answer in case that solved your problem so you can accept it. – John Zwinck Jan 22 '15 at 07:28

1 Answers1

0

It seems your code is OK, it's just that the year shows 110 because you subtract 1900 in your code when populating the struct tm. That's standard though--struct tm is supposed to contain the year minus 1900. You just need to be careful when printing the value.

John Zwinck
  • 239,568
  • 38
  • 324
  • 436